Oh boy. Has it never occurred to you that letting any visitor write directly into your HTML document might be a bit ... problematic?

Take those scripts offline before the script kiddies and criminals find it.

Your website doesn't have any protection at all, and you've just told the general public. This means you have to act now. First of all, delete all scripts which process user input (like the testimonials). Only leave the static pages. Then you have two options:

Learn how to write secure code and fix the scripts yourself. This will take a lot of time and readiness to learn. To get a basic understanding of web security, check out The 6 worst sins of security.

Hire a professional programmer to fix the code for you. This will be costly. You also have to be careful, because a lot of the "web programmers" out there don't know what they're doing and will give you nothing but trouble. A good way of dealing with this is to first ask them for some comments on the code and concrete suggestions. And then you show those to us (with their permission, of course) so that we can give you a rough estimate of the programmer's abilities.

By the way, those "<br>" come from empty submissions. Since you don't check the input (not even the CAPTCHA), I can click on the button without entering any text. But like I said, that's really your least problem right now.

Why can't I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

Taking user input itself is not bad. That's how this forum works. But if you take the raw input and just dump it on the page, you let anybody on this world manipulate your page. A script kiddie might use this to put up some "Hacked by xy" message. A criminal might misuse your page to spread malware and break into the computers of your users.

Deferring the messages doesn't help you if your database code is vulnerable as well -- and that's what I expect. To me it looks like you have no security concept at all.
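As an added illustration of the two points made above (raw input dumped straight into the page, and database code built the same way), here is a small Python example. It is not the poster's code and not the code of the site under discussion; the thread shows no code at all, so the testimonials table, the function names and the sample submissions are all constructed assumptions. It puts the concatenating versions beside the hardened ones (HTML escaping on output, a parameterised query on insert) and it also rejects the empty submissions that produced the stray `<br>` entries.

```python
import html
import sqlite3

# Constructed sample submissions (not taken from the thread): a normal one,
# an empty one, and one carrying markup that must never reach the browser raw.
SAMPLE_SUBMISSIONS = [
    "Great service, would recommend.",
    "",
    "<script>alert('Hacked by xy')</script>",
]


def open_store():
    """In-memory table standing in for the site's testimonials database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE testimonials (id INTEGER PRIMARY KEY, body TEXT NOT NULL)"
    )
    return conn


def validate(text):
    """Reject empty submissions (the cause of the stray '<br>' entries) and oversize ones."""
    text = text.strip()
    if not text:
        raise ValueError("empty submission")
    if len(text) > 1000:
        raise ValueError("submission too long")
    return text


def store_vulnerable(conn, text):
    """String-concatenated SQL, the pattern the thread warns about.

    Returns True if the statement ran and False if the input itself broke the
    SQL syntax, which is the first symptom of input being treated as code.
    """
    try:
        conn.execute("INSERT INTO testimonials (body) VALUES ('" + text + "')")
        return True
    except sqlite3.OperationalError:
        return False


def store_safe(conn, text):
    """Parameterised query: the text is passed as data, never spliced into the statement."""
    conn.execute("INSERT INTO testimonials (body) VALUES (?)", (text,))


def render_vulnerable(rows):
    """Dumping stored bodies into the HTML unchanged: any visitor controls the page."""
    return "".join("<p>" + body + "</p>" for body in rows)


def render_safe(rows):
    """Escape on output so stored text is displayed as text, not interpreted as markup."""
    return "".join("<p>" + html.escape(body) + "</p>" for body in rows)


def process(submissions, conn=None):
    """Full safe path: validate, store with parameters, render escaped.

    Returns (rendered_html, number_of_rejected_submissions).
    """
    conn = conn or open_store()
    rejected = 0
    for submission in submissions:
        try:
            body = validate(submission)
        except ValueError:
            rejected += 1
            continue
        store_safe(conn, body)
    rows = [r[0] for r in conn.execute("SELECT body FROM testimonials ORDER BY id")]
    return render_safe(rows), rejected


if __name__ == "__main__":
    page, dropped = process(SAMPLE_SUBMISSIONS)
    print(page)
    print("rejected:", dropped)
```

The escaping belongs at output time, not at storage time, so the same stored text can later be shown in other contexts without double-escaping; the parameterised insert is what keeps the database side from being the next weak spot once the page output is fixed.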

What are you talking about? I told you exactly what you need to do and pointed you to an article which explains all security basics you'll need to know. paulh1983 also pointed you to the various security articles in this forum.

We're not gonna spoonfeed you, if that's what you're waiting for. If you were a 12-year-old kid who just started with their very first home page, then maybe I would actually take your hand and walk you through the code line by line. But you're a grown-up man who makes a living from writing code. I expect you to be able to learn from articles and think for yourself.

If you can't do it, then hire somebody who can.

Comments on this post

paulh1983 agrees
: I agree! Furthermore, jacques helps us more than his fair share; just because it is a forum doesn't mean we are obliged to help you! We have lives, work etc. btw I am unable to give you any rep points, tried before too.. weird